Renew Access Token using Refresh Token

[jay-dee7]

We're using JSON Web Tokens for Authentication so far and planning to use it for embedding Authorisation flow as well.

A common pattern with JWTs is to have a short-lived Access Token(like an hour), and use use a Refresh Token to renew the Access Token when the token lifecycle ends. This isn't some crazy security benefit (since JWTs are not meant to be used like this) but this way, at least, we're reducing the surface of the possible attack.

The Goal for this issue would be to add a /auth/refresh handler, which takes a refresh token, processes it and returns an expected response. The following would be enough to make it useful:

• If the refresh token is expired, handler must return HTTP Status 401 - Unauthorised
• If the token is valid, return a HTTP Status 200 - OK response, and a cookie with Access Token as the value of the cookie (exactly like Sign In and Login With Github Methods)

Here are some good starting off points:

• https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
• https://oauth.net/2/grant-types/refresh-token/
• https://dev.to/abrichak/jwt-and-go-how-to-integrate-them-with-security-requirements-eh5

[guacamole]

this issue has been resolved by PR #126